Posted to dev@hbase.apache.org by "Josh Elser (JIRA)" <ji...@apache.org> on 2017/03/01 23:27:45 UTC
[jira] [Created] (HBASE-17717) Incorrect ZK ACL set for HBase superuser
Josh Elser created HBASE-17717:
----------------------------------
Summary: Incorrect ZK ACL set for HBase superuser
Key: HBASE-17717
URL: https://issues.apache.org/jira/browse/HBASE-17717
Project: HBase
Issue Type: Bug
Components: security, Zookeeper
Reporter: Shreya Bhat
Assignee: Josh Elser
Fix For: 2.0.0, 1.3.1, 1.1.10, 1.2.6
Shreya was doing some testing of a deploy of HBase, verifying that the ZK ACLs were actually set as we expect (yay, security).
She noticed that, in some cases, we were seeing multiple ACLs for the same user.
{noformat}
'world,'anyone
: r
'sasl,'hbase
: cdrwa
'sasl,'hbase
: cdrwa
{noformat}
After digging into this (and some insight from the mighty [~enis]), we realized that this was happening because of an overridden value for {{hbase.superuser}}. However, the ACL value doesn't match what we'd expect to see (as hbase.superuser was set to {{cstm-hbase}}).
After digging into this code, it seems like the {{auth}} ACL scheme in ZooKeeper does not work as we expect.
{code}
if (superUser != null) {
  acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
}
{code}
In the above, the {{"auth"}} scheme ignores any provided "subject" in the {{Id}} object. It *only* considers the authentication of the current connection. As such, our usage of this never actually sets the ACL for the superuser correctly.
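The check described in this report can be automated. The following is an added example, not part of the original message or of HBase: it parses {{getAcl}} output in the format quoted above and reports duplicate entries and a missing grant for the configured superuser. The function names {{parse_getacl}} and {{audit}} are hypothetical, and matching the superuser under the {{sasl}} scheme is an assumption taken from the entries shown in the report.

```python
import re
from collections import Counter

# Constructed sample: the getAcl output quoted in the report.
SAMPLE = """\
'world,'anyone
: r
'sasl,'hbase
: cdrwa
'sasl,'hbase
: cdrwa
"""

# One ACL entry is printed as "'scheme,'id" followed by a ": perms" line.
ENTRY = re.compile(r"^'(?P<scheme>[^,]+),'(?P<id>.*)$")


def parse_getacl(text):
    """Return [(scheme, id, perms), ...] from getAcl-style output."""
    acls, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY.match(line)
        if match:
            pending = (match.group("scheme"), match.group("id"))
        elif line.startswith(":") and pending:
            acls.append((*pending, line[1:].strip()))
            pending = None
    return acls


def audit(acls, expected_superuser, scheme="sasl", perms="cdrwa"):
    """Report duplicate ACL entries and a missing superuser grant.

    Assumption: the superuser should appear under `scheme` with at least
    `perms`; adjust both for the deployment being checked.
    """
    findings = []
    for (s, i, p), count in Counter(acls).items():
        if count > 1:
            findings.append(f"duplicate: {s}:{i}:{p} x{count}")
    granted = any(s == scheme and i == expected_superuser
                  and set(perms) <= set(p) for s, i, p in acls)
    if not granted:
        findings.append(f"missing: {scheme}:{expected_superuser}:{perms}")
    return findings
```

Run against the sample with {{cstm-hbase}} as the expected superuser, {{audit}} reports both the duplicated {{sasl:hbase}} entry and the absent superuser grant.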